Companies have had their hands full securing the growing number of endpoints in their organizations against attackers. But don’t assume that this is a lost cause.
When the Enterprise Strategy Group recently surveyed information security professionals, it uncovered a mixed picture. More organizations are finally treating endpoint security as a strategic imperative for their businesses as they undergo the process of digital transformation. But in many respects, you can also classify this as a work in progress with companies scrambling to make up for lost time to protect their digital data.
We recently spoke with ESG Senior Principal Analyst Jon Oltsik to dig deeper into the findings.
Q: What was the surprise conclusion in your survey research?
The biggest one is that there is still quite a bit of churn in the market around endpoint security, as well as a lack of knowledge about endpoint security. People don't know what they have. They don't know what their capabilities are and often over-react and swap things out when they may or may not need to do so.
Q: Meanwhile, organizations still struggle to protect a multiplying number of endpoints. How well do they understand the extent of the security threats they’re up against?
I don't think that most do. A company may buy a security tool and install it - as they always have- but they don't always understand the threat. There are different things you can do to address that to mitigate risk. But you need to have an understanding of the threat as well as an understanding of the security tools to protect your endpoints. And you have to understand the intersection of those two things. Not everyone does.
We have this concept called the endpoint security continuum, which goes from advanced protection on one side to advanced detection and response on the other.
Q: Do more enterprises still approach endpoint security tactically or they finally approaching it more strategically? I’m generalizing but it seems that they have usually defaulted to collecting one point solution after another, as the need arises.
That has been the history. To some extent, it's still true. So, for instance, companies that are very set on Endpoint Detection and Response tend to look at EDR products - regardless of whether they are offered by suite vendors or by vendors that also offer prevention tools. You still see some of that behavior, but the data suggests that there’s now a movement toward suites. We have this concept called the endpoint security continuum, which goes from advanced protection on one side to advanced detection and response on the other. The middle is made up of layered controls. We’re now seeing a change in buying behavior, where companies are looking for one vendor for all of those capabilities.
Q; Given the increase - both in the size and frequency - of breaches, organizations seem to be playing constant catch-up when it comes to endpoint protection. As if it’s a continuing work in progress.
Part of this is just the way that we have historically managed endpoint security. We bought endpoint products and configured them and then handed them off to IT operations. But IT is an operations organization, not a security organization. So, we kind of didn’t keep up and we are paying the price now.
Q: Do you think businesses have been overly complacent about the severity of the threats they face?
I think that’s true. Most companies are now waking up to the fact that there are new requirements and acting accordingly. In the past, though, there was this thought that, `Well, if I buy antivirus software, I am getting the researchers on the back end and they know what they're doing and can fix things.’ They saw anti-virus as a kind of “set it and forget it” technology. But there’s been continual innovation in the adversary community that they need to pay attention to and that means staying on top of new requirements.
Q: Has it taken news about big security incidents to convince them to take more initiative when it comes to defense planning?
It has. After the Anthem breach, every healthcare organization we spoke with was either doing something immediately or planning to do something around endpoint security. That was driven by healthcare CEOs going to the security professionals and asking whether their organizations were vulnerable. What has changed in the last few years is that it doesn't have to be in your industry any longer. You see a data breach and go back to the security people and ask, `Are we vulnerable?’ That’s definitely accelerated the pace of change in security.
Q: When it comes to securing endpoints and being able to track and respond to intruders, what help do you think deception capabilities can offer enterprise security managers?
I think it's helpful - especially organizations that are very analytics-driven because you can use those deception nodes to collect a lot of good intelligence. I think that's helpful. The technology has promise and has proven to be effective in the past. But there is not a lot of knowledge and skills about deception technologies so for the deception vendors, it's about easing people into that technology.
Q: From an uber perspective - small “u” - how do you think the process of digital transformation is going to influence enterprise thinking about endpoint security strategy?
I think there is still a lot of reactive behavior where companies deploying these solutions realize that they also need to bolt on security. The encouraging thing is that there is more proactive thought about how to secure these digital transformation processes. They have great potential for improving operations and revenues, etc. But they also expose more data as things get digitized that weren’t digitized before and processes get automated that weren’t automated before. And the risks are higher. More CEOs recognize that. So, I think the word is out.
Q: The report also notes that most EDR deployments remain works in progress. What’s your take on that?
EDR is a hands-on managed security analytics activity and very few companies have the skills or the scale to do those kinds of things. So, EDR is a bit of a special use case. Endpoint protection is about applying new technologies to block bad things from happening. So, theoretically, once you install the product, it should be pretty effective.
We encourage you to share your thoughts on your favorite social platform.